CVE-2026-46169 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, security teams managing systems that process HFS+ filesystem images, virtualization platforms allowing guest filesystem access, and forensic analysis environments handling untrusted disk images

Technical summary

The vulnerability exists in fs/hfsplus/catalog.c where hfs_brec_read() reads catalog records without validating that entrylength matches the expected record size. For catalog thread records (type HFSPLUS_FOLDER_THREAD or HFSPLUS_FILE_THREAD), the expected size is 520 bytes, but corrupted filesystems may specify smaller sizes. The function only validates that entrylength does not exceed buffer size, not that it meets minimum requirements. When a 26-byte record is read into a 520-byte structure, 494 bytes remain uninitialized. The hfsplus_cat_build_key_uni() function copies this data, and hfsplus_strcasecmp() uses uninitialized nodeName.length bytes as indices into the case_fold_table array. The fix introduces hfsplus_brec_read_cat() with type-aware size validation: fixed 520 bytes for folder/file records, variable size for thread records with HFSPLUS_MIN_THREAD_SZ check before accessing nodeName.length. Defensive initialization of tmp in hfsplus_find_cat() provides additional protection.

Defensive priority

high

Recommended defensive actions

• Apply kernel updates from official Linux stable tree once available for your distribution
• Restrict mounting of untrusted HFS+ filesystem images
• Monitor for kernel KMSAN warnings related to hfsplus_strcasecmp or hfs_brec_read
• Review systems that process external HFS+ filesystem images for isolation

Evidence notes

Vulnerability confirmed via official Linux kernel stable tree commits. Syzbot reported the KMSAN uninit-value issue. Fix validated through multiple stable kernel branches.

Official resources